There’s just no denying it – we are in the midst of a digital revolution. And we can safely say this revolution is largely driven by data. Data is the new oil in this age of analytics. Every sphere of life is now influenced by data, and data-driven decisions are propelling the world. The rise of the data economy has companies fishing for more and more data, and tech giants like Facebook, Amazon and Google have built their empires on the foundation of data.
The amount of data we produce every day is truly mind-boggling. There are 2.5 quintillion bytes of data created each day at our current pace, but that pace is only accelerating with the growth of the Internet of Things (IoT).
With all of us leaving huge traces of digital footprints, a truly alarming question arises – how is our data secured and protected? We have laws established to protect our physical selves; but what about our digital presence? This article helps demystify data protection and data privacy.
Now that we have established that data steers the world, let’s get to its different types.
Non-personally Identifiable Information (Non-PII): This is the type of data that cannot be traced back to an individual. For instance, consider a survey where a group of people is asked only for their favourite flavour of ice cream. This information contains only user opinions on ice cream flavours and cannot be traced to any one individual.
Personally Identifiable Information (PII): Though the definition can vary slightly across different regions of the world, let’s stick to the one provided by the National Institute of Standards and Technology (NIST), which is a part of the U.S. Department of Commerce that offers guidelines on technology-related matters, like how to adequately protect data. According to the NIST, Personally Identifiable Information is any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, etc. Some institutions also include home address, email address and telephone number under this category.
Sensitive PII: PII is considered to be sensitive if the loss, compromise, or unauthorized disclosure of this data could result in harm, embarrassment, inconvenience, or unfairness to an individual. For instance, the following information is considered to be sensitive PII – medical records, religious beliefs, sexual orientation, employment information, biometric data, etc. All PII – whether sensitive or not – falls under the category of personal data.
Data Protection and Data Privacy
Data protection and privacy apply primarily to personal information. When organizations seek to protect their users’ data, they must understand the data they need to safeguard. Data protection is a set of strategies and processes that can be used to secure the confidentiality, availability, and integrity of data. A data protection strategy is vital for any organization that collects, handles, or stores sensitive data. A successful strategy can help prevent data loss, theft, or corruption and can help minimize damage caused in the event of a breach or disaster.
Though the terms are used interchangeably, data privacy is not the same as data protection: data protection is aimed at protecting assets from unauthorized use, while data privacy defines who has authorized access. One can say that data protection is mostly a technical control, while data privacy is more of a process or legal matter. Data protection standards might talk about preventive and detective controls like encryption of data at rest, in motion and in use, and the establishment of security monitoring and logging to ensure data remains in safe hands. These controls help prevent data from being subjected to unauthorized access. Data privacy, on the other hand, talks about the regulations, or policies, that govern the use of data when shared with any entity. It talks about who has authorized access and puts in place a system of checks and balances to ensure that the data an organization collects from its customers is used only for the purposes for which it was intended. It also talks about data breaches and the legal actions and penalties that the organization has to face in the event of one. Data privacy comes more from a legal and regulatory level, whereas data protection takes shape from a technical standpoint.
Regulations on Data Privacy
Several countries have come to realize the importance of data privacy and have started coming up with their own regulations on how data needs to be collected, managed, processed, and erased. However, the pioneer in this space was the Global Data Protection Regulation (GDPR) of the European Union. This was passed on 25th May 2018 and transformed the landscape of data, putting more power into the hands of consumers by giving them new rights over how their data is processed. In an unprecedented first, consumers were provided with privacy rights. It gave a structured definition to the whole arena of data processing. Here are some key terminologies from the GDPR.
Personal data: Personal data is any information that relates to an individual who can be directly or indirectly identified. Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.
Data subject: The person whose data is processed. These are mainly customers or site visitors.
Data controller: The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor: A third party that processes personal data on behalf of a data controller. If an organization decides to outsource some of its data, the third party to whom the data has been outsourced is the data processor.
The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. Below is a rundown of data subjects’ privacy rights:
The right to be informed: Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.
The right of access: After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.
The right to rectification: A data subject has the right to have incorrect or incomplete data corrected.
The right to erasure: A data subject has the right to have personal data permanently deleted.
The right to restrict processing: A data subject has the right to block or suppress personal data being processed or used.
The right to data portability: A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format.
The right to object: A data subject has the right to object to being subject to public authorities or companies processing their data without explicit consent.
Rights in relation to automated decision making and profiling: A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm.
All companies residing in the European Union or processing data of residents of the European Union are required to be compliant with the GDPR. Failure to do so might result in huge fines, totaling €20 million or 4% of annual global turnover – whichever is greater. Following in the footsteps of the GDPR, several other countries have brought in their own privacy legislation as well. Recently, California and Virginia in the US brought in their own privacy laws. India too has its Personal Data Protection Bill.
To sum it up, with everything turning digital and our digital lives intertwined with our normal existence, data protection and privacy are imperative to protect both individuals and organizations. The first step in the right direction for any individual is to be aware of his or her rights and abide by data processing norms to ensure that personal data remains safe and secure.
-Rekha Chander (Freelancer)